From: Rakhesh Sasidharan
Date: Wed, 26 Sep 2007 15:02:26 +0400 (GST)
To: freebsd-questions@freebsd.org
Subject: Re: Confusion on SSH and PAM
Message-ID: <20070926145429.B65660@dogmatix.home.rakhesh.com>
In-Reply-To: <46F910EE.6070005@cyberleo.net>
References: <20070925150058.J79029@dogmatix.home.rakhesh.com> <46F910EE.6070005@cyberleo.net>
X-Blog: http://rakhesh.com/
X-Notes: http://rakhesh.net/

CyberLeo Kitsana wrote:
> Rakhesh Sasidharan wrote:
>> Any ideas or nudges in the right direction as to why this is happening?
>> Looks like I've understood the interaction between SSH and PAM wrong
>> here, so would appreciate some enlightenment.
>
> According to my understanding of the SSH protocol, you're continually
> asked because an authentication failure is not a fatal error.
>
> When authenticating an SSH session, a list of mutually supported methods
> is compiled (public-key, challenge-response, S/Key,
> keyboard-interactive, plaintext) and the client cycles through the list
> based on what it thinks is most likely to work.
>
> It's perfectly acceptable for a client to attempt password
> authentication before public-key, or even interleave them. All the
> server can do is say yay or nay to an attempt with a restricted method,
> because it cannot know if the next attempt may utilize an allowed method.
>
> After the requisite three or five failed attempts (depending on the
> server config), it may send a general failure code (too many failed
> attempts) and disconnect the client at its discretion.

Here's another oddity I encountered today. If "PermitRootLogin" is set to "forced-commands-only", my understanding is that SSHD will permit root logins if a command to be executed is given. But that doesn't seem to be the case in practice! I have keys set up for root to log in, but instead of letting me in with those keys, SSHD ignores them, passes me to PAM for password prompting (three times) and then denies me! Very strange.

I even set up a "Match User" clause for root and specified a command to run. Still, SSHD refuses to let me in with/without key and for a specific command.

Regards,

- Rakhesh
http://rakhesh.net/
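Editor's added example, not part of the thread. sshd_config(5) documents that with `PermitRootLogin forced-commands-only` public-key authentication for root is allowed only when the key's authorized_keys entry carries a `command="..."` option, and that every other method is disabled for root; the check is on the per-key option, not on a `ForceCommand` directive in a `Match User root` block. A key without that option is therefore ignored for root, and the client falls through to the remaining (disabled) methods, which is the "prompted three times, then refused" pattern described above. The POSIX shell script below audits an authorized_keys file for root keys lacking the option; the sample file it writes is constructed here with fake key material, and the path `/usr/local/sbin/pull-backup` is an assumed placeholder.

```shell
#!/bin/sh
# Added audit check (not from the thread). Under
#   PermitRootLogin forced-commands-only
# sshd accepts a root public key only if that key's authorized_keys line
# starts with options that include command="...". List the keys that do
# not, so the operator can see why "the key works everywhere except as root".

# Print every key line in the given authorized_keys file that carries no
# command="..." option. Comments and blank lines are skipped. Options, when
# present, are a comma-separated list that precedes the key type, so a line
# whose first field is itself a key type has no options at all.
# Assumption: the key's trailing comment field never contains ',command="'.
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/          { next }         # comment or blank line
        $1 ~ /^(ssh-|ecdsa-|sk-)/     { print; next }  # no options at all
        $0 !~ /(^|,)command="/        { print }        # options, but no command=
    ' "$1"
}

# Number of such keys, for scripting and for the check below.
count_unrestricted_keys() {
    unrestricted_keys "$1" | wc -l | tr -d ' '
}

# Constructed sample root authorized_keys; key material is fake.
# Only the first entry would be accepted for root under forced-commands-only.
write_sample() {
cat > "$1" <<'EOF'
# constructed sample, fake key material
command="/usr/local/sbin/pull-backup",no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EFAKE1== backup@dogmatix
ssh-rsa AAAAB3NzaC1yc2EFAKE2== rakhesh@dogmatix
from="192.168.17.0/24",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKE3== ops@dogmatix
EOF
}

if [ "$#" -ge 1 ]; then
    # Audit a real file, e.g. /root/.ssh/authorized_keys
    unrestricted_keys "$1"
else
    tmp=$(mktemp)
    write_sample "$tmp"
    echo "root keys without a forced command (sample data):"
    unrestricted_keys "$tmp"
    rm -f "$tmp"
fi
```

Run it with no arguments to see the sample output, or pass root's authorized_keys path to audit a real host. Any key it prints is one sshd will silently skip for root under forced-commands-only; the fix, if root access via that key is wanted at all, is to prefix the entry with `command="..."` (ideally alongside `no-pty`, `no-port-forwarding` and a `from=` restriction) rather than to loosen PermitRootLogin.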